Notice that SSL is enabled in all examples. Your LDAP server may or may not require SSL. If you do not require SSL (if you set AD to not require signed communications), you can set that option to "false". Be aware that doing so will cause your domain user's passwords to be sent across the network in clear text, which makes your system susceptible to man in the middle attacks, replay attacks, and other nasty attacks.

For SSL to work, you must install an SSL certificate on your LDAP server, your wiki's server must trust the LDAP server's CA, and the DNS name of your LDAP server must resolve to the CN field of the certificate issued to your LDAP server.

Remember, if your web server does not use SSL (URL does not start with https://), your password will be transmitted in clear text from the client browser to the web server. This is independent of the SSL settings described below from the web server to the LDAP server.

In this example, we have an Active Directory (AD) server, and we will be doing straight binds to the directory. This is not how typical LDAP authentication operates as it does not attempt a search first, see #Single Domain Requiring Search Before Binding.

Our AD servers are "exampleldapserver.example.com" and "exampleldapserver2.example.com", and the domainname is "EXAMPLEDOMAIN". "USER-NAME" is not to be changed as this string is replaced in LdapAuthentication.php.

Extra configuration for AD to allow for preference pulling, group sync, etc.[edit]

If you want to be able to pull preferences, and such, you'll need to set a couple other options. These other options will allow the plugin to bind as the user, and then search for the user's DN. Without a DN, any extras provided by the extension will fail.

This is typically how LDAP authentication is performed. First, a search is performed for the identifier presented (username) and a DN is returned. This DN is then used with the password provided to attempt a bind against the LDAP server. This is useful in cases when the username does not match anything in the DN or users are stored in multiple OUs.

In this situation, you could use the "Single Domain Requiring Straight Binding Only" as AD will search through multiple OUs for you anyway. Using the Straight Binding approach is generally recommended for AD.

Our AD servers are "exampleldapserver.example.com" and "exampleldapserver2.example.com", and the domain is "EXAMPLEDOMAIN".

Our naming attribute for users is "sAMAccountName", some users are kept in "ou=accounting,ou=Users,dc=exampledomain,dc=example,dc=com", and other users are kept in "ou=graphics,ou=Users,dc=exampledomain,dc=example,dc=com".

With this approach, if your server doesn't allow anonymous searching (AD doesn't, normally), you'll need to use a proxy agent. The proxy agent is a low privilege domain user service account which should have the rights to enumerate user objects and read their attributes but should not have create/modify/delete rights.

In this example, the proxy agent entry is at "cn=proxyagent,ou=Users,dc=exampledomain,dc=example,dc=com".

If you are using multiple domains, this is your most likely scenario. In this example, we have two different domains that are not part of a single-sign-on enviroment.

The AD domain is called "ADDOMAIN", and has servers named "exampleldapserver.example.com" and "exampleldapserver2.example.com". The non-AD domain is called "NonADDomain", has servers named "nonadserver.example.com", "nonadserver2.example.com", and "nonadserver3.example.com", and users are stored in "ou=people,dc=example,dc=com". In this example, we do not require the ability to change passwords, or create new LDAP users through Mediawiki, just authentication.